Excellent Eugene, that's pretty much what I had in mind, although not as accurate. Thanks for providing the code.
Maurice -----Message d'origine----- De : Eugene Ramirez [mailto:[email protected]] Envoyé : dimanche 6 avril 2014 02:26 À : [email protected] Objet : Re: access PDF doc from inside Flex app but not outside? I have files stored on the server which can either be inside a database or some other file the servlet has access but not under the public_html directory and while I'm using JBOSS the servlet is the one that returns the file the user has requested. The piece of code the servlet executes is: //find out the filename using some logic and checking if the user has access rights //once I have it I execute the following code: File file=new File(filename); if (file.exists()){ resp.setContentType("application/x-download"); resp.setHeader("Content-Disposition", "attachment; filename=" + clientFilenameToBeSavedAs); returnFile(filename, resp.getOutputStream()); }else{ //System.out.println("file DOES NOT exist:" + filename); //error handling goes here } returnFile method public static void returnFile(String filename, OutputStream out) throws FileNotFoundException, IOException { InputStream in = null; try { in = new BufferedInputStream(new FileInputStream(filename)); byte[] buf = new byte[4 * 1024]; // 4K buffer int bytesRead; while ((bytesRead = in.read(buf)) != -1) { out.write(buf, 0, bytesRead); } } finally { if (in != null) in.close(); } } My FLEX code that will call the servlet method: private function startDownloadingFile(attachment:Attachment):void{ if (_downloadFileRef==null) _downloadFileRef=new FileReference(); var req:URLRequest=new URLRequest(SERVER_URL); var variables:URLVariables=new URLVariables(); variables.command=DOWNLOAD_ATTACHMENT; variables.attachmentId=attachment.id; variables.sessionId=Params.getInstance().get("sessionId"); req.data=variables; _downloadFileRef.addEventListener(ProgressEvent.PROGRESS, downloadFileRef_progress); _downloadFileRef.addEventListener(Event.COMPLETE, downloadFileRef_complete); _downloadFileRef.addEventListener(Event.CANCEL,downloadFileRef_cancel); try{ mx.managers.CursorManager.setBusyCursor(); _downloadFileRef.download(req,attachment.filename); }catch(error:Error){ mx.managers.CursorManager.removeBusyCursor(); Alert.show("unable to download file","Error downloading file"); } } Note: My user has already been authenticated by the server and has a sessionId that is unique to the user. On the server I have this sessionId stored with a reference to the user. Anytime someone wants to download a file I check the sessionId and see if its: 1) Valid 2) The filename the user is trying to download has access to download the file The servlet goes and gets the file that is not in a public directory and sends it over. Others might have a different method of doing this but this works for me. Hopefully this helps. Ruben On Fri, Apr 4, 2014 at 3:28 PM, Maurice Amsellem < [email protected]> wrote: > >how does the servlet open the PDF in a new (client) browser window > It's not the servlet, it's the flex app that is responsible of opening > the new window. > The servlet will simply read the bytes of the PDF file and write them > to the output stream, as if it was a static file (that what the http > server does actually) > > > And when it does open the PDF in a new browser window, wouldn't the > > full > URL including token be shown in the browser (if so, someone could copy > this URL and e-mail to someone else to open it)? > The "security token" would be valid for the current user session only. > You could for example use the jsessionid as a key (or something similar). > So if someone else that is not logged tries the same url, it will not work. > > Maurice > > -----Message d'origine----- > De : [email protected] [mailto:[email protected]] Envoyé : > samedi 5 avril 2014 00:23 À : [email protected] Objet : Re: access > PDF doc from inside Flex app but not outside? > > I call a few Java servlets in my app using HTTPService(), although my > app is not contained in a JEE Web App as far as I know. > > Let me see if I follow... the servlet is called from within Flex using > a specific URL. I can append some text representing a "security token" > on that URL, which the servlet validates then ... hmm, how does the > servlet open the PDF in a new (client) browser window (maybe you can > refer me to a specific command I can research to figure that out)? > > And when it does open the PDF in a new browser window, wouldn't the > full URL including token be shown in the browser (if so, someone could > copy this URL and e-mail to someone else to open it)? > > > ----- Original Message ----- > > From: "Maurice Amsellem" <[email protected]> > To: [email protected] > Sent: Friday, April 4, 2014 3:05:50 PM > Subject: RE: access PDF doc from inside Flex app but not outside? > > Then the PDF files would be stored in the private area of the web-app > (under WEB-INF) , so they can't be accessed directly. > > There are probably variants of this, but I think you get the idea. > > -----Message d'origine----- > De : Maurice Amsellem [mailto:[email protected]] > Envoyé : samedi 5 avril 2014 00:04 > À : [email protected] > Objet : RE: access PDF doc from inside Flex app but not outside? > > If your app is contained in a JEE Web App, you could probably write a > servlet to download the PDF securely, using a "security token" or something. > The Flex App would simply request the servlet through its url to get > the PDF, and pass it the security token. > > Makes sense ? > > Maurice > > -----Message d'origine----- > De : [email protected] [mailto:[email protected]] Envoyé : > vendredi 4 avril 2014 23:45 À : apache flex users Objet : access PDF > doc from inside Flex app but not outside? > > I have a desktop Flex app that users register and login. I need to > provide these users access to technical documents in PDF format. > However, I don't want to put these docs in my server's public_html > directory because then any visitor can potentially view them. Is there > any way for the Flex app to open these PDF files in a new browser > window, while preventing their access by website visitors? That is, > the files can only be opened when logged into the app, and not by > copying and pasting a link in an email that goes to someone else for them to > open in any browser. > > I understand the user can simply download the PDF file and e-mail it > if he/she really wants to (I'm just trying to make it a little more > difficult). > > I was thinking maybe there was a way to place the PDF files somewhere > in the Java application server since only Flex has access there (a > firewall blocks website visitors). Thought maybe someone ran into this > before and could help me see what's possible. > >
